EU-US Privacy Shield will come into force on the 1st August and this now replaces the defunct Safe Harbour.
What has caused the delay?
Finally getting this over the line has been frustrating as it has met the resistance of the European Commission whose fault finding Article 29 Working Parties Opinion on this was delaying the final agreement.
This has now been given approval by the Article 31 Committee on 8th July and on 12th July the European Commission issued an “implementing decision” which ratifies that the Privacy Shield will be adopted.
Despite criticism from certain quarters during the negotiation phase this does now provide some certainty on how businesses can legally transfer personal data between the EU and US.
The Background
In February we covered the announcement of the hotly awaited replacement to the Safe Harbour in our post
EU-US Privacy Shield – Is data safe again?
The main obligations imposed on firms handling Europeans personal data are as follows:-
- Individual Notification
Businesses must inform individuals of their rights under the US-EU Privacy Shield and what rights they have including specific reference to how their particular data is processed
- Opt Out
Individuals can object to the disclosure of their personal data to third parties or for specific purposes.
- Responsibility for movement of personal data
This should be limited and made clear for what purpose this is going to be utilised. The level of protection of the data in this process must be no lesser to that set out under the Privacy Shield.
- Security Measures
These must be in place commensurate with the type and sensitivity of the data and how this will be processed.
- Access to Data
This must be possible and if amendments are required to the data then this must be carried out promptly.
- Data Integrity
Data must be set out in accordance to its’ relevance and end use, this must be up to date and accurate in all respects.
- Consequences of non adherence
Processes to be put in place to ensure that compliance is achieved and a system of redress with options for legal remedies.
A copy of the Framework Principles as issued by the US Department of Commerce is available at the link below
EU-US Privacy Shield Framework Principles
What will the impact of Brexit?
This is going to be one of the many issues that will need to be negotiated with the U.K. leaving the EU. The protection of personal data is a foremost consideration all around the world today and this geographical location is no exception.
Would the UK now need to negotiate a separate Privacy Shield with the US – will we therefore see a US-UK Privacy Shield?
How does this interact with the General Data Protection Regulations that come info force on 25th May 2017? The UK will need to implement similar data protection regulations when dealing with the EU and the personal data of individuals within these European States. Data from the EU may also circulate via the UK to the US which is a further dilemma that will need to be addressed.
Can Cyber Insurance Help?
This form of policy provides protection for loss of personal data for such scenarios as a result of a hacker attack , the inadvertent loss of data by an employee or the destruction of data by a malicious act. The post breach response vendors provided by insurers also provides a significant benefit to businesses.
Cyber Insurance can therefore play a role in mitigating the impact of a data loss irrespective of the changing legal landscape that is evolving.
The underlying message to the business environment is that they must have heighten awareness and be very much ” En Garde” as to the dynamic changes on how data is processed and protected and the pitfalls of non-compliance.